Microsoft and Cyber Command disrupt Russian ransomware network that could have messed with 2020 election

Microsoft and U.S. Cyber Command separately disrupted a massive Russian cybercrime-linked TrickBot ransomware computer network just weeks ahead of the 2020 presidential election amid concerns that foreign actors are seeking to meddle in the U.S. democratic process.

“Today we took action to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific distributors of ransomware. As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Microsoft corporate Vice President Tom Burt said in a Monday blog post. “In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses, and universities from the various malware infections Trickbot enabled.”

Microsoft’s public announcement about the takedown of a botnet linked to Russian hackers and other foreign actors comes shortly after the Washington Post reported on Friday that U.S. Cyber Command also “mounted an operation to temporarily disrupt what is described as the world’s largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.”

The outlet cited four anonymous U.S. officials who said that the military’s cyberoperations against TrickBot are “not expected to permanently dismantle the network … but it is one way to distract them at least for a while as they seek to restore operations.”

The New York Times cited government officials when reporting on Monday that the U.S. government “had already started hacking TrickBot’s command and control servers around the world late last month” and wrote that Cyber Command has “kicked off a series of covert pre-emptive strikes on the Russian-speaking hackers it believes could aid” Russian President Vladimir Putin “in disrupting the casting, counting, and certifying of ballots this November.”

Paul Nakasone, a general in the Army who is both commander of U.S. Cyber Command and director of the National Security Agency, penned an op-ed for Foreign Affairs in August laying out how Cyber Command and the NSA “worked together to protect against meddling in the 2018 midterm elections.” Nakasone pointed to the creation of the Russia Small Group and highlighted Cyber Command sending personnel out on “several hunt forward missions, where governments had invited them to search for malware on their networks” and credited these aggressive “defend forward” tactics and newly acquired authorities by U.S. agencies in discussing how the “United States disrupted a concerted effort to undermine the midterm elections.” He vowed that “together with its partners, Cyber Command is doing all of this and more for the 2020 elections.”

The Department of Homeland Security’s threat assessment report from last week warned that “some state or non-state actors likely will seek to use cyber means to compromise or disrupt infrastructure used to support the 2020 U.S. Presidential election.” The report assessed that “malicious cyber actors likely will target election-related infrastructure as the 2020 Presidential election approaches, focusing on voter personal identifiable information, municipal or state networks, or state election officials directly.” Last month, the FBI and the DHS’s Cybersecurity and Infrastructure Security Agency warned that “Distributed Denial of Service attacks on election infrastructure can hinder access to voting information but would not prevent voting.”

William Evanina, who leads the National Counterintelligence and Security Center, warned in an August intelligence assessment that Russia is “using a range of measures to primarily denigrate” former Vice President Joe Biden, including that “pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption — including through publicizing leaked phone calls — to undermine” Biden. The same statement said China “prefers” that President Trump not win reelection and is “expanding its influence efforts ahead of November 2020” in order to “pressure political figures it views as opposed to China’s interests.” The counterintelligence official also said that Iran “seeks to undermine” Trump’s presidency.

Microsoft previously warned in September that Russian, Chinese, and Iranian hackers have all been conducting cyberattacks, targeting people and organizations associated with the Trump and Biden campaigns and other organizations affiliated with the upcoming 2020 presidential election.

“From the standpoint of confidence in the system, I think it is much easier to disrupt a network and prevent it from operating than it is to change votes,” Adam Hickey, a deputy assistant attorney general in DOJ’s National Security Division, said in August.

“We’re seeing state and local entities targeted with ransomware on a near-daily basis,” Geoff Hale, director of the Election Security Initiative at DHS’s Cybersecurity and Infrastructure Security Agency, also said this summer.

Microsoft said on Monday that it disrupted TrickBot “through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world” and that the ransomware had infected more than 1 million computers since 2016. In describing the criminal enterprise, Microsoft said that TrickBot’s “spam and spear phishing campaigns used to distribute malware have included topics such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links.”

DHS acting Secretary Chad Wolf said last week that “nation-states like China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities, and criticize our elected officials.”

Trump administration officials have suggested that China poses the biggest threat to the 2020 presidential election, while Democrats have insisted that Russia remains the greatest election challenge.

Robert Mueller’s 2019 special counsel report said that Russians interfered in the 2016 election in a “sweeping and systematic fashion” but “did not establish” criminal collusion between any Russians and anyone in Trump’s orbit.